34 matches found
Astro Cloudflare Adapter - Server Side Request Forgery
Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URL...
VulnCheck KEV: CVE-2025-58179
Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URL...
CVE-2026-41321
@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP...
@anyauth/design-system (>=0.5.0 <=0.5.1), @anyauth/shared-deps (=0.1.0) +21 more potentially affected by CVE-2026-41321 via @astrojs/cloudflare (>=10.4.2 <=12.6.13)
@astrojs/cloudflare NPM version =10.4.2, =0.5.0, =1.0.10, =1.1.0, =4.3.2, =1.11.0, =0.0.0-add-workerconfig-to-context--20250905094004-b98e1fec-20250905074005, =0.1.0, =3.0.0, =1.1.0, =0.1.2, =1.0.1, =1.0.4 and more Source cves: CVE-2026-41321 Source advisory: OSV:GHSA-88GM-J2WX-58H6...
CVE-2025-65019
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter @astrojs/cloudflare with output: 'server', the image optimization endpoint /_image contains a critical vulnerability in the isRemoteAllowed function that unconditionally allows data: protocol URLs. This enable...
EUVD-2025-198182
Astro Cloudflare adapter has Stored Cross-Site Scripting vulnerability in /_image endpoint...
GHSA-FVMW-CJ7J-J39Q Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
Summary: A Cross-Site Scripting (XSS) vulnerability exists in Astro when using the @astrojs/cloudflare adapter with output: 'server'. The built-in image optimization endpoint /_image uses isRemoteAllowed from Astro's internal helpers, which unconditionally allows data: URLs. When the endpoint receive...
CVE-2025-65019 Astro Cloudflare adapter has a Stored Cross Site Scripting vulnerability in /_image endpoint
Astro is a web framework. Prior to version 5.15.9, when using Astro's Cloudflare adapter @astrojs/cloudflare with output: 'server', the image optimization endpoint /image contains a critical vulnerability in the isRemoteAllowed function that unconditionally allows data: protocol URLs. This enable...
CVE-2025-65019
Astro CVE-2025-65019 affects the Cloudflare adapter when using output: 'server'. The image optimization endpoint /_image unconditionally allows data: URLs via isRemoteAllowed(), enabling XSS through malicious SVG payloads that the browser can execute after a 302 redirect. Affected components: @as...
PT-2025-47490
Name of the Vulnerable Software and Affected Versions: Astro versions prior to 5.15.9. Description: Astro, a web framework, has an issue when using the Cloudflare adapter @astrojs/cloudflare with output set to 'server'. The image optimization endpoint '/_image' includes a flaw in the isRemoteAllowed...
EUVD-2025-26878
Malicious code in bioql PyPI...
EUVD-2025-18433
Malicious code in bioql PyPI...
CVE-2025-58179
Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URL...
Server-side Request Forgery (SSRF)
Overview: @astrojs/cloudflare is a package for deploying your site to Cloudflare Workers/Pages. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /_image endpoint. An attacker can access internal or unauthorized resources by submitting crafted URLs to the generated image...
Astro Code Issue Vulnerability
Astro is an open source web framework for content-driven websites. A code issue vulnerability exists in Astro versions 11.0.3 through 12.6.5 that stems from the presence of SSRF in the Cloudflare adapter, which could allow bypassing third-party domain restrictions...